One of the latest trends of BYOD solutions is to employ "Mobile Application Management (MAM)," which allows organizations to wrap existing applications to perform policy enforcement and data/transport security at the application layer rather than at the device level. Today's organizations face a complex choice: there are a plethora of BYOD application wrapping products on the market, each with their own colorful datasheets and hefty security claims. How well do these BYOD application wrapping solutions stand up to their claims? And perhaps just as important, how well do they defend against real-life mobile threats?
In this talk we will analyze the application wrapping solutions offered by some of the major commercial BYOD products on the market today. We'll reverse engineer how these application wrapping solutions work for both iOS and Android; as well as, analyze their authentication, cryptography, interprocess communication (IPC), and client-side security control implementations. Finally, we'll explore the security vulnerabilities we've discovered in major vendor products that could result in the compromise of sensitive information.